Could AES-256 be less secure if a portion of the key is known an attacker?

views:

110

answers:

+1 Q:

Could AES-256 be less secure if a portion of the key is known an attacker?

Disclaimer: this is just out of curiosity; I'm no expert at all when it comes to cryptography.

Suppose a 256-bit key is composed of the following (UTF-16) characters:
aaaaaaaabbbbcccc

Futher suppose that an attacker knows the last 4 characters of the key is cccc.
Does this knowledge make it easier for an attacker?

My guess is that it makes it easier for the attacker to brute-force the encrypted text, but my understanding is that brute-forcing AES-256 is a very difficult problem. Then again, there might be something I don't understand about AES itself that makes this type of knowledge more valuable for an attacker.

I don't think so. The hacker could guess the last 4 bytes [run through them brute-force], even if they didn't know, so knowing the last 4 bytes just reduces key space. [BTW, I'm not an "expert" either.]

muntoo 2010-09-20 00:29:25

+1 A:

Theoretically, it is less secure now.

Practically, as long as there are still at least 80 bits unknown to attacker, you are good to go.

BarsMonster 2010-09-20 00:30:43

+6 A:

I would say it's a bigger problem that your key's bytes are from UTF-16 characters, but in the ASCII character space (meaning you could have a key 32 ASCII characters long). As such 16 of the 32 bytes of your key are known to be 0x00. Knowing that the last 4 are c means that 4 more bytes have been compromised.

As such, you've really only got 12-bytes => 96-bits of your AES key unknown.

If your attacker assumes the alpha-numeric character space, that cuts it down by about a quarter as well (62 / 256).

With what you're working with, your key is pretty compromised (but not just because 4 characters of it are known)

A 256-bit key should give someone a 1 in 1.16 × 10^77 chance of guessing right. With your situation, it's about a 1 in 3.23 x 10^21 chance (basically 62^12), which is a LOT smaller.

UPDATE: I was a nerd and had to do the math. 12 alpha-numeric characters (upper and lower case) is roughly a 71-bit encryption strength. ( Math check = log(62^12)/log(2) )

userx 2010-09-20 00:46:16

Oh wow, yikes, that is a great point!

unforgiven3 2010-09-20 00:53:12

@unforgiven3: You shouldn't be using text directly as an AES key. The password text should be processed through a *Key Derivation Function*, like PBKDF2 (defined in [PKCS #5](http://www.rsa.com/rsalabs/node.asp?id=2127)). (This doesn't solve the problem of needing more entropy - only a longer password text can do that. But it allows a longer password that is longer than 32 bytes in UTF16 form to be used to generate a 256 bit key).

caf 2010-09-20 04:32:35

@caf - Completely agree

userx 2010-09-20 09:18:48

Thanks guys, that really clears things up for me. I appreciate it :-)

unforgiven3 2010-09-20 17:11:31

ansaurus

tags:

views:

answers:

Could AES-256 be less secure if a portion of the key is known an attacker?

related questions